
Don't let an auto-responder fool you during Sobig worm outbreak

August 20, 2003
Sophos Press Release

Sophos has received reports from customers concerned about
auto-responders that are wrongly accusing them of sending an email
infected with the W32/Sobig-F worm.

'Sender forging' or 'spoofing' is when the email address of an
infected computer is replaced with another address, often randomly
plucked off the infected computer by the virus. Sender forging is
normally done just before the virus sends itself out to more
potential victims. Because the address in the 'Sender' field has
been changed, no one knows who sent the email or where it came from.

Some gateway applications that scan email attachments for viral
content send an automatic email reply when a virus is found. If the 'Sender'
name has been forged, the auto-reply can be received by an innocent
party, causing undue confusion and stress. A false accusation may
even harm your company's relationship with clients.

"Sobig-F is not the first virus to forge email addresses," said
Carole Theriault, technology consultant at Sophos Anti-Virus.
"Other notorious viruses such as Bugbear, Fizzer, Mimail and Klez have also used
spoofing. The confusion generated has often allowed viruses to
spread faster and wider."

Sophos recommends that users do not respond to emails from
auto-responders accusing them of being infected and spreading the
Sobig-F worm. However, they should consider double-checking their
computers for the latest viruses just in case they are genuinely
infected.

It is also advisable to run email gateway scanners such as
Sophos MailMonitor to block viruses from being sent into or out of
a network. However, as seen above, Sophos advises that setting up
an auto-respond mechanism is fraught with problems.

Further reading: Read instructions on how to
remove the W32/Sobig-F worm and ensure your system is not
vulnerable to reinfection.

About Sophos

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at www.sophos.com/company.